<html>

<head>
    <title>Scan Remediation Report #150</title>
    <meta http-equiv="Content-Security-Policy"
        content="default-src 'none'; img-src data:; style-src 'nonce-NzgzZDYzOWMtYzNiZi00OTVlLWEyZWQtMzkyMWRmYWVhYmNm'; base-uri 'none';">
    <style nonce="NzgzZDYzOWMtYzNiZi00OTVlLWEyZWQtMzkyMWRmYWVhYmNm">
        body {
            font-family: 'Roboto', Helvetica, Arial, sans-serif;
            color: #4d5155;
            -webkit-font-smoothing: antialiased;
            font-size: 14px;
            background-color: #F7F9FD;
        }

        .report {
            width: 712px;
            margin: 0 auto;
            position: relative;
            background-color: white;
            border-left: 60px solid white;
            border-right: 60px solid white;
            border-top: 20px solid white;
            border-bottom: 20px solid white;
        }

        .header {
            height: 150px;
            display: flex;
            justify-content: space-between;
            align-items: center;
            border-bottom: 1px solid #0094FF;
        }

        .header h1 {
            font-size: 44px;
            color: #333332;
        }

        .header h2 {
            font-size: 26px;
            color: #333332;
        }

        .line {
            border-left: 16px solid #0094FF;
            height: 150px;
            width: 24px;
            position: absolute;
            left: -40px;
            float: left;
        }

        .section {
            width: 100%;
            margin-top: 50px;
        }

        .section.no-margin {
            margin-top: 10px;
        }

        .label {
            white-space: nowrap;
            color: #8c8d8e;
            margin-top: 30px;
        }

        .label:first-child {
            margin-top: 0px;
        }

        .divider {
            border-bottom: 1px solid #0094FF;
        }

        .title h1 {
            color: #ffffff;
            padding: 10px 15px;
            margin: 0;
            font-size: 1.8em;
        }

        .title img {
            display: inline
        }

        table {
            line-height: 20px;
        }

        h1 {
            color: #333332;
            font-size: 24px;
            font-weight: bold;
            margin-bottom: 20px;
        }

        h2 {
            color: #333332;
            font-size: 18px;
            font-weight: normal;
            margin-top: 0;
            margin-bottom: 20px;
        }

        a {
            color: #ff6633;
            text-decoration: none;
        }

        .column-table .value.warning {
            color: #ff6633;
            font-size: 12px;
        }

        .column-table .value.error {
            color: #f32a4c;
            font-size: 12px;
        }

        .info-table {
            margin-right: 50px;
        }

        .info-table td {
            padding: 3px 3px 3px 0;
            border-bottom: 1px solid #ebf0f2;
            vertical-align: top;
            overflow-wrap: break-word;
            word-break: break-all;
        }

        .info-table td+td {
            margin: 20px
        }

        .info-table .name {
            width: 200px;
            white-space: nowrap;
            color: #8c8d8e;
        }

        .info-table .value {
            text-align: right;
        }

        .issue-table {
            border-collapse: collapse;
            margin-top: 30px;
        }

        .issue-table thead th {
            white-space: nowrap;
        }

        .issue-table tr {
            border: 0;
            border-bottom: 1px solid #8c8d8e;
        }

        .issue-table tr.issue-type-row {
            font-weight: bold;
            border-bottom: 0;
        }

        .issue-table tr th {
            text-align: left;
            padding-bottom: 8px;
            padding-right: 8px;
            width: 98%;
        }

        .issue-table tr .issue-path {
            word-wrap: break-word;
            max-width: 700px;
            text-align: left;
            padding-bottom: 8px;
            padding-right: 8px;
            width: 98%;
        }

        .issue-table td {
            padding-right: 8px;
        }

        .issue-table td.nowrap {
            white-space: nowrap;
        }

        .column-table {
            width: 100%;
        }

        .column-table>tbody>tr>td {
            width: 50%;
            vertical-align: top;
        }

        .column-table>tbody>tr>td>.value {
            display: flex;
        }

        .user-icon {
            padding-right: 6px;
        }

        .recorded-icon {
            padding-right: 10px;
        }

        .url {
            word-break: break-all;
        }

        .section.details h1 {
            margin-bottom: 30px;
        }

        .section.details h2 {
            font-size: 14px;
            font-weight: bold;
            color: #4d5155;
            margin: 0;
        }

        .section.details h3 {
            font-size: 14px;
            font-weight: normal;
            color: #8c8d8e;
            margin-top: 30px;
            margin-bottom: 20px;
        }

        .center {
            text-align: center;
        }

        .no-bullets ul {
            list-style: none;
            padding-left: 0;
        }

        .issue-container {
            margin-bottom: 30px;
        }

        .standalone-section {
            break-before: page;
        }

        .issue-type-container .issue-container {
            break-before: page;
        }

        .standalone-section+.issue-type-container .issue-container:first-child {
            break-before: avoid;
        }

        @media print {
            body {
                color: #000000;
                position: relative;
            }

            .report {
                width: calc(100% - 80px);
            }

            h1,
            h2,
            a {
                color: #000000;
            }

            .no-print {
                display: none;
            }
        }

        .request-response {
            overflow: auto;
            border-radius: 7px;
            border: 1px solid #dce3e5;
            padding: 8px;
            color: #000000;
        }

        .request-response .highlight {
            background-color: rgba(255, 102, 51, 0.4);
        }

        .request-response,
        .code,
        pre {
            font-family: "Courier New", Courier, monospace;
            line-height: 16px;
            word-break: break-all;
            white-space: pre-wrap;
        }

        .request-response .snip {
            margin-top: 20px;
            margin-bottom: 20px;
            position: relative;
            border-top: 1px dashed #cbd0d1;
        }

        .request-response .snip>span {
            position: absolute;
            top: -13px;
            display: inline-block;
            width: 100%;
            text-align: center;
        }

        .request-response .snip>span>span {
            color: #8c8d8e;
            padding: 0 8px;
            background-color: #ffffff;
        }

        .evidence-container {
            break-inside: avoid;
        }
    </style>
</head>

<body>

    <div class="report">
        <div class="line"></div>

        <div class="header">
            <div class="text">
                <h1>Scan Remediation</h1>
                <h2>Report</h2>
            </div>
            <img src=''
                width="210" height="60" />
        </div>

        <div class="section no-margin">
            <span class="label">Generated by Burp Suite Enterprise Edition | 2024-11-06 12:41 PM</span>
        </div>

        <div class="section">
            <table class="column-table">
                <tbody>
                    <tr>
                        <td>
                            <div class="label">Site name:</div>
                            <div class="value">m</div>
                            <div class="label">Scanned:</div>
                            <table>
                                <tbody>
                                    <tr>
                                        <td>
                                            <div class="value">Start:</div>
                                        </td>
                                        <td>
                                            <div class="value">2024-11-05 4:59 PM</div>
                                        </td>
                                    </tr>
                                    <tr>
                                        <td>
                                            <div class="value">End:</div>
                                        </td>
                                        <td>
                                            <div class="value">2024-11-05 5:13 PM</div>
                                        </td>
                                    </tr>
                                </tbody>
                            </table>
                            <div class="label">Duration:</div>
                            <div class="value">13m 53s</div>
                            <div class="label">Status:</div>
                            <div class="value">Completed</div>
                        </td>
                        <td>
                            <div class="label">Start URLs:</div>
                            <div class="value url">https://instance.example.com/fe/m3/m-login</div>

                            <div class="label">In-scope URL prefixes:</div>
                            <div class="value url">https://instance.example.com/fe/m3/</div>
                            <div class="value url">https://instance.example.com/m/v3/</div>

                            <div class="label">Application logins:</div>
                            <div class="value"> <img
                                    src=''
                                    width="22" height="22" class="recorded-icon" /> DEMOMX m login only (no clerk)</div>

                            <div class="label">Reference:</div>

                            <div class="value">
                                #150
                            </div>
                        </td>
                    </tr>
                </tbody>
            </table>
        </div>

        <div class="section">
            <table class="column-table">
                <tbody>
                    <tr>
                        <td>
                            <h2>Issues by severity</h2>
                            <table class="info-table">
                                <tbody>
                                    <tr>
                                        <td class="name">High:</td>
                                        <td class="value">0</td>
                                    </tr>
                                    <tr>
                                        <td class="name">Medium:</td>
                                        <td class="value">0</td>
                                    </tr>
                                    <tr>
                                        <td class="name">Low:</td>
                                        <td class="value">11</td>
                                    </tr>
                                    <tr>
                                        <td class="name">Information:</td>
                                        <td class="value">44</td>
                                    </tr>
                                    <tr>
                                        <td class="name">Total issues found:</td>
                                        <td class="value">55</td>
                                    </tr>
                                </tbody>
                            </table>
                        </td>
                        <td>
                            <h2>Scan statistics</h2>
                            <table class="info-table">
                                <tbody>
                                    <tr>
                                        <td class="name">Discovered URLs:</td>
                                        <td class="value">44</td>
                                    </tr>
                                    <tr>
                                        <td class="name">Audited URLs without errors:</td>
                                        <td class="value">9</td>
                                    </tr>
                                    <tr>
                                        <td class="name">Audited URLs with errors:</td>
                                        <td class="value">1</td>
                                    </tr>
                                    <tr>
                                        <td class="name">Requests made:</td>
                                        <td class="value">12354</td>
                                    </tr>
                                    <tr>
                                        <td class="name">Network errors:</td>
                                        <td class="value">28</td>
                                    </tr>
                                </tbody>
                            </table>
                        </td>
                    </tr>
                </tbody>
            </table>
        </div>

        <div class="section divider"></div>

        <div class="section standalone-section">
            <h1>Issues found on https://instance.example.com</h1>

            <table class='issue-table'>
                <thead>
                    <tr>
                        <th>URLs By issue type</th>
                        <th>Severity</th>
                        <th>Confidence</th>
                        <th class="no-print">More detail</th>
                    </tr>
                </thead>
                <tbody>
                    <tr class="issue-type-row">
                        <td colspan="4">Strict transport security not enforced [7]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#7459896704422157312">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/action-log
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#2208045381316932608">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/event-log
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#3310329974499847168">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/login-m-by-name
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#8930014484270623744">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/request-m-password-reset
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#5267572311222231040">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#8897869992152202240">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations/locales
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#2544375508483323904">&gt;&gt;</a></td>
                    </tr>
                    <tr class="issue-type-row">
                        <td colspan="4">Open redirection (DOM-based) [4]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Tentative</td>
                        <td class="nowrap center no-print"><a href="#6674428486008773632">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Tentative</td>
                        <td class="nowrap center no-print"><a href="#8308469567087165440">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Tentative</td>
                        <td class="nowrap center no-print"><a href="#6741367401146747904">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Low</td>
                        <td class="nowrap">Tentative</td>
                        <td class="nowrap center no-print"><a href="#6267850805052795904">&gt;&gt;</a></td>
                    </tr>
                    <tr class="issue-type-row">
                        <td colspan="4">TLS certificate [1]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#3527817892229159936">&gt;&gt;</a></td>
                    </tr>
                    <tr class="issue-type-row">
                        <td colspan="4">Content security policy: allows untrusted script execution [7]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#5259898011373310976">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/action-log
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#4657103024505977856">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/event-log
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#902521611952553984">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/login-m-by-name
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#6264510907054532608">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/request-m-password-reset
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#1529192591484086272">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#3808026467961441280">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations/locales
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#4466300982206924800">&gt;&gt;</a></td>
                    </tr>
                    <tr class="issue-type-row">
                        <td colspan="4">Content security policy: allows untrusted style execution [7]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#2695716473583569920">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/action-log
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#1298103128246460416">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/event-log
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#2014798415321718784">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/login-m-by-name
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#1922984841418255360">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/request-m-password-reset
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#8450741944245941248">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#3555706921975993344">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations/locales
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#2057881140009319424">&gt;&gt;</a></td>
                    </tr>
                    <tr class="issue-type-row">
                        <td colspan="4">Content security policy: allows form hijacking [7]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#8357691155950076928">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/action-log
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#4549316367934383104">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/event-log
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#6701390394372629504">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/login-m-by-name
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#5123150992306434048">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/request-m-password-reset
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#6598663798538817536">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#7695309936584174592">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations/locales
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#3054733144918620160">&gt;&gt;</a></td>
                    </tr>
                    <tr class="issue-type-row">
                        <td colspan="4">Cross-origin resource sharing [6]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/action-log
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#8763174910093391872">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/event-log
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#5925852801819709440">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/login-m-by-name
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#5857278075795971072">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/request-m-password-reset
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#1427808413525564416">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#8711212538224995328">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations/locales
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#5779334575193283584">&gt;&gt;</a></td>
                    </tr>
                    <tr class="issue-type-row">
                        <td colspan="4">Cross-origin resource sharing: arbitrary origin trusted [6]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/action-log
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#8820756364458124288">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/event-log
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#530498929544584192">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/login-m-by-name
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#5900011248769263616">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/actions/request-m-password-reset
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#1161946040846946304">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#8827647893815513088">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /m/v3/translations/locales
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#3408790232388447232">&gt;&gt;</a></td>
                    </tr>
                    <tr class="issue-type-row">
                        <td colspan="4">Robots.txt file [1]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /robots.txt
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#1403797905824836608">&gt;&gt;</a></td>
                    </tr>
                    <tr class="issue-type-row">
                        <td colspan="4">Cacheable HTTPS response [1]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#8892116954353746944">&gt;&gt;</a></td>
                    </tr>
                    <tr class="issue-type-row">
                        <td colspan="4">DOM data manipulation (DOM-based) [6]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Firm</td>
                        <td class="nowrap center no-print"><a href="#5632626482916889600">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Firm</td>
                        <td class="nowrap center no-print"><a href="#2020756852015877120">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Firm</td>
                        <td class="nowrap center no-print"><a href="#547516727130662912">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Firm</td>
                        <td class="nowrap center no-print"><a href="#3668057833940777984">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Firm</td>
                        <td class="nowrap center no-print"><a href="#7064533534944179200">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Firm</td>
                        <td class="nowrap center no-print"><a href="#7933681146442143744">&gt;&gt;</a></td>
                    </tr>
                </tbody>
            </table>
        </div>
        <div class="section divider"></div>

        <div class="section standalone-section">
            <h1>Issues found on http://instance.example.com</h1>

            <table class='issue-table'>
                <thead>
                    <tr>
                        <th>URLs By issue type</th>
                        <th>Severity</th>
                        <th>Confidence</th>
                        <th class="no-print">More detail</th>
                    </tr>
                </thead>
                <tbody>
                    <tr class="issue-type-row">
                        <td colspan="4">Input returned in response (reflected) [2]</td>
                    </tr>

                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#3588084604190000128">&gt;&gt;</a></td>
                    </tr>
                    <tr>
                        <td class="issue-path issue-link">
                            /fe/m3/m-login
                        </td>
                        <td>Info</td>
                        <td class="nowrap">Certain</td>
                        <td class="nowrap center no-print"><a href="#6924794329102809088">&gt;&gt;</a></td>
                    </tr>
                </tbody>
            </table>
        </div>

        <div class="section divider"></div>

        <div class="section details standalone-section">
            <h1>More details for https://instance.example.com</h1>
        </div>

        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="7459896704422157312"></a>
                <h2>Strict transport security not enforced</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>
                    Issue description:
                </h3>
                <div>
                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
                        attacker able to modify a legitimate user's network traffic could bypass the application's use
                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
                        sslstrip tool automates this process. </p>
                    <p>
                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
                        the victim's network traffic.This scenario typically occurs when a client communicates with the
                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
                        to prevent this. An attacker situated in the user's ISP or the application's hosting
                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
                        target any connection made over the Internet's core infrastructure. </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
                        seconds that browsers should remember that the site should only be accessed using HTTPS.
                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
                        accessed the application will never have seen the HSTS header, and will therefore still be
                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
                                Strict Transport Security</a></li>
                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
                                Credentials</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
                                Attack</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="2208045381316932608"></a>
                <h2>Strict transport security not enforced</h2>
                <a href="">/m/v3/actions/action-log</a>

                <h3>
                    Issue description:
                </h3>
                <div>
                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
                        attacker able to modify a legitimate user's network traffic could bypass the application's use
                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
                        sslstrip tool automates this process. </p>
                    <p>
                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
                        the victim's network traffic.This scenario typically occurs when a client communicates with the
                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
                        to prevent this. An attacker situated in the user's ISP or the application's hosting
                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
                        target any connection made over the Internet's core infrastructure. </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
                        seconds that browsers should remember that the site should only be accessed using HTTPS.
                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
                        accessed the application will never have seen the HSTS header, and will therefore still be
                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
                                Strict Transport Security</a></li>
                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
                                Credentials</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
                                Attack</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 118

                        {&quot;name&quot;:&quot;mLoginAttempt&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;,&quot;mName&quot;:&quot;&quot;}}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:46 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="3310329974499847168"></a>
                <h2>Strict transport security not enforced</h2>
                <a href="">/m/v3/actions/event-log</a>

                <h3>
                    Issue description:
                </h3>
                <div>
                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
                        attacker able to modify a legitimate user's network traffic could bypass the application's use
                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
                        sslstrip tool automates this process. </p>
                    <p>
                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
                        the victim's network traffic.This scenario typically occurs when a client communicates with the
                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
                        to prevent this. An attacker situated in the user's ISP or the application's hosting
                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
                        target any connection made over the Internet's core infrastructure. </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
                        seconds that browsers should remember that the site should only be accessed using HTTPS.
                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
                        accessed the application will never have seen the HSTS header, and will therefore still be
                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
                                Strict Transport Security</a></li>
                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
                                Credentials</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
                                Attack</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 279

                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730843990,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previou
                        <div class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:50 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="8930014484270623744"></a>
                <h2>Strict transport security not enforced</h2>
                <a href="">/m/v3/actions/login-m-by-name</a>

                <h3>
                    Issue description:
                </h3>
                <div>
                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
                        attacker able to modify a legitimate user's network traffic could bypass the application's use
                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
                        sslstrip tool automates this process. </p>
                    <p>
                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
                        the victim's network traffic.This scenario typically occurs when a client communicates with the
                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
                        to prevent this. An attacker situated in the user's ISP or the application's hosting
                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
                        target any connection made over the Internet's core infrastructure. </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
                        seconds that browsers should remember that the site should only be accessed using HTTPS.
                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
                        accessed the application will never have seen the HSTS header, and will therefore still be
                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
                                Strict Transport Security</a></li>
                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
                                Credentials</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
                                Attack</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Authorization: Bearer undefined
                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 33

                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}</div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:46 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="5267572311222231040"></a>
                <h2>Strict transport security not enforced</h2>
                <a href="">/m/v3/actions/request-m-password-reset</a>

                <h3>
                    Issue description:
                </h3>
                <div>
                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
                        attacker able to modify a legitimate user's network traffic could bypass the application's use
                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
                        sslstrip tool automates this process. </p>
                    <p>
                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
                        the victim's network traffic.This scenario typically occurs when a client communicates with the
                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
                        to prevent this. An attacker situated in the user's ISP or the application's hosting
                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
                        target any connection made over the Internet's core infrastructure. </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
                        seconds that browsers should remember that the site should only be accessed using HTTPS.
                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
                        accessed the application will never have seen the HSTS header, and will therefore still be
                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
                                Strict Transport Security</a></li>
                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
                                Credentials</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
                                Attack</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/request-reset-password
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 94

                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:36 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="8897869992152202240"></a>
                <h2>Strict transport security not enforced</h2>
                <a href="">/m/v3/translations</a>

                <h3>
                    Issue description:
                </h3>
                <div>
                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
                        attacker able to modify a legitimate user's network traffic could bypass the application's use
                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
                        sslstrip tool automates this process. </p>
                    <p>
                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
                        the victim's network traffic.This scenario typically occurs when a client communicates with the
                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
                        to prevent this. An attacker situated in the user's ISP or the application's hosting
                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
                        target any connection made over the Internet's core infrastructure. </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
                        seconds that browsers should remember that the site should only be accessed using HTTPS.
                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
                        accessed the application will never have seen the HSTS header, and will therefore still be
                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
                                Strict Transport Security</a></li>
                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
                                Credentials</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
                                Attack</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:39 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="2544375508483323904"></a>
                <h2>Strict transport security not enforced</h2>
                <a href="">/m/v3/translations/locales</a>

                <h3>
                    Issue description:
                </h3>
                <div>
                    <p> The application fails to prevent users from connecting to it over unencrypted connections. An
                        attacker able to modify a legitimate user's network traffic could bypass the application's use
                        of SSL/TLS encryption, and use the application as a platform for attacks against its users. This
                        attack is performed by rewriting HTTPS links as HTTP, so that if a targeted user follows a link
                        to the site from an HTTP page, their browser never attempts to use an encrypted connection. The
                        sslstrip tool automates this process. </p>
                    <p>
                        To exploit this vulnerability, an attacker must be suitably positioned to intercept and modify
                        the victim's network traffic.This scenario typically occurs when a client communicates with the
                        server over an insecure connection such as public Wi-Fi, or a corporate or home network that is
                        shared with a compromised computer. Common defenses such as switched networks are not sufficient
                        to prevent this. An attacker situated in the user's ISP or the application's hosting
                        infrastructure could also perform this attack. Note that an advanced adversary could potentially
                        target any connection made over the Internet's core infrastructure. </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The application should instruct web browsers to only access the application using HTTPS. To do
                        this, enable HTTP Strict Transport Security (HSTS) by adding a response header with the name
                        'Strict-Transport-Security' and the value 'max-age=expireTime', where expireTime is the time in
                        seconds that browsers should remember that the site should only be accessed using HTTPS.
                        Consider adding the 'includeSubDomains' flag if appropriate.</p>
                    <p>Note that because HSTS is a &quot;trust on first use&quot; (TOFU) protocol, a user who has never
                        accessed the application will never have seen the HSTS header, and will therefore still be
                        vulnerable to SSL stripping attacks. To mitigate this risk, you can optionally add the 'preload'
                        flag to the HSTS header, and submit the domain for review by browser vendors.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security">HTTP
                                Strict Transport Security</a></li>
                        <li><a href="https://github.com/moxie0/sslstrip">sslstrip</a></li>
                        <li><a href="https://hstspreload.appspot.com/">HSTS Preload Form</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/523.html">CWE-523: Unprotected Transport of
                                Credentials</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/94.html">CAPEC-94: Man in the Middle
                                Attack</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/157.html">CAPEC-157: Sniffing Attacks</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:24 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>
        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="6674428486008773632"></a>
                <h2>Open redirection (DOM-based)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The application may be vulnerable to DOM-based open redirection. Data is read from
                    <b>location.href</b> and passed to <b>xhr.send</b>.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>

                    <p>DOM-based open redirection arises when a script writes controllable data into the target of a
                        redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a
                        URL that, if visited by another application user, will cause a redirection to an arbitrary
                        external domain. This behavior can be leveraged to facilitate phishing attacks against users of
                        the application. The ability to use an authentic application URL, targeting the correct domain
                        and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack
                        because many users, even if they verify these features, will not notice the subsequent
                        redirection to a different domain.</p>
                    <p><b>Note:</b> If an attacker is able to control the start of the string that is passed to the
                        redirection API, then it may be possible to escalate this vulnerability into a JavaScript
                        injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary
                        script code when the URL is processed by the browser.</p>

                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
                        execution paths to determine whether this vulnerability is indeed present, or whether
                        mitigations are in place that would prevent exploitation.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically
                        set redirection targets using data that originated from any untrusted source. If the desired
                        functionality of the application means that this behavior is unavoidable, then defenses must be
                        implemented within the client-side code to prevent malicious data from introducing an arbitrary
                        URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that
                        are permitted redirection targets, and strictly validating the target against this list before
                        performing the redirection.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/dom-based/open-redirection">Web Security
                                Academy: Open redirection (DOM-based)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to
                                Untrusted Site ('Open Redirect')</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Dynamic analysis:</h3>
                    <div>
                        <p>
                            Data is read from <b>location.href</b> and passed to <b>xhr.send</b>.
                        </p>
                        <ul>
                            <li>
                                <p>The following value was injected into the source:</p>
                                <pre
                                    class="code">https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'"/iepuap2p8w/&gt;&lt;iepuap2p8w/\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'"/iepuap2p8w/&gt;&lt;iepuap2p8w/\&gt;fwqsx8nplw&amp;</pre>
                            </li>

                            <li>
                                <p>The previous value reached the sink:</p>
                                <pre
                                    class="code">{"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Cannot read properties of null (reading 'once')","name":"TypeError","constructor_name":"TypeError","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;","query_string":"?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\&gt;ba6kcvqqrk&amp;","user_ip":"$remote_ip"},"client":{"runtime_ms":53,"timestamp":1730843997,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"TypeError","message":"Cannot read properties of null (reading 'once')","description":"Uncaught TypeError: Cannot read properties of null (reading 'once')"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202367,"method":"[anonymous]","colno":10},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202406,"method":"InfoReceiver.doXhr","colno":11}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"}]},"context":""}}</pre>
                            </li>

                            <li>
                                <p>The stack trace at source was:</p>
                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
at get href (&lt;anonymous&gt;:1:249544)
at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42576)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)
at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)
at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)</pre>
                            </li>

                            <li>
                                <p>The stack trace at the sink was:</p>
                                <pre class="code">at Object.XMhUr (&lt;anonymous&gt;:1:544502)
at _0x13dcf0 (&lt;anonymous&gt;:1:558761)
at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)
at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
at https://instance.example.com/fe/js/cv-script.js:201791:32574</pre>
                            </li>

                        </ul>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="8308469567087165440"></a>
                <h2>Open redirection (DOM-based)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The application may be vulnerable to DOM-based open redirection. Data is read from
                    <b>location.search</b> and passed to <b>xhr.send</b>.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>

                    <p>DOM-based open redirection arises when a script writes controllable data into the target of a
                        redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a
                        URL that, if visited by another application user, will cause a redirection to an arbitrary
                        external domain. This behavior can be leveraged to facilitate phishing attacks against users of
                        the application. The ability to use an authentic application URL, targeting the correct domain
                        and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack
                        because many users, even if they verify these features, will not notice the subsequent
                        redirection to a different domain.</p>
                    <p><b>Note:</b> If an attacker is able to control the start of the string that is passed to the
                        redirection API, then it may be possible to escalate this vulnerability into a JavaScript
                        injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary
                        script code when the URL is processed by the browser.</p>

                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
                        execution paths to determine whether this vulnerability is indeed present, or whether
                        mitigations are in place that would prevent exploitation.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically
                        set redirection targets using data that originated from any untrusted source. If the desired
                        functionality of the application means that this behavior is unavoidable, then defenses must be
                        implemented within the client-side code to prevent malicious data from introducing an arbitrary
                        URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that
                        are permitted redirection targets, and strictly validating the target against this list before
                        performing the redirection.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/dom-based/open-redirection">Web Security
                                Academy: Open redirection (DOM-based)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to
                                Untrusted Site ('Open Redirect')</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Dynamic analysis:</h3>
                    <div>
                        <p>
                            Data is read from <b>location.search</b> and passed to <b>xhr.send</b>.
                        </p>
                        <ul>
                            <li>
                                <p>The following value was injected into the source:</p>
                                <pre
                                    class="code">?kpiqhi5l29=kpiqhi5l29%27%22`'"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\&gt;ba6kcvqqrk&amp;</pre>
                            </li>

                            <li>
                                <p>The previous value reached the sink:</p>
                                <pre
                                    class="code">{"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Cannot read properties of null (reading 'once')","name":"TypeError","constructor_name":"TypeError","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;","query_string":"?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\&gt;ba6kcvqqrk&amp;","user_ip":"$remote_ip"},"client":{"runtime_ms":53,"timestamp":1730843997,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"TypeError","message":"Cannot read properties of null (reading 'once')","description":"Uncaught TypeError: Cannot read properties of null (reading 'once')"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202367,"method":"[anonymous]","colno":10},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":202406,"method":"InfoReceiver.doXhr","colno":11}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"}]},"context":""}}</pre>
                            </li>

                            <li>
                                <p>The stack trace at source was:</p>
                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
at get search (&lt;anonymous&gt;:1:248279)
at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42607)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)
at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)
at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)</pre>
                            </li>

                            <li>
                                <p>The stack trace at the sink was:</p>
                                <pre class="code">at Object.XMhUr (&lt;anonymous&gt;:1:544502)
at _0x13dcf0 (&lt;anonymous&gt;:1:558761)
at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)
at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
at https://instance.example.com/fe/js/cv-script.js:201791:32574</pre>
                            </li>

                        </ul>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="6741367401146747904"></a>
                <h2>Open redirection (DOM-based)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The application may be vulnerable to DOM-based open redirection. Data is read from
                    <b>location.href</b> and passed to <b>xhr.send</b>.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>

                    <p>DOM-based open redirection arises when a script writes controllable data into the target of a
                        redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a
                        URL that, if visited by another application user, will cause a redirection to an arbitrary
                        external domain. This behavior can be leveraged to facilitate phishing attacks against users of
                        the application. The ability to use an authentic application URL, targeting the correct domain
                        and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack
                        because many users, even if they verify these features, will not notice the subsequent
                        redirection to a different domain.</p>
                    <p><b>Note:</b> If an attacker is able to control the start of the string that is passed to the
                        redirection API, then it may be possible to escalate this vulnerability into a JavaScript
                        injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary
                        script code when the URL is processed by the browser.</p>

                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
                        execution paths to determine whether this vulnerability is indeed present, or whether
                        mitigations are in place that would prevent exploitation.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically
                        set redirection targets using data that originated from any untrusted source. If the desired
                        functionality of the application means that this behavior is unavoidable, then defenses must be
                        implemented within the client-side code to prevent malicious data from introducing an arbitrary
                        URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that
                        are permitted redirection targets, and strictly validating the target against this list before
                        performing the redirection.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/dom-based/open-redirection">Web Security
                                Academy: Open redirection (DOM-based)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to
                                Untrusted Site ('Open Redirect')</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Dynamic analysis:</h3>
                    <div>
                        <p>
                            Data is read from <b>location.href</b> and passed to <b>xhr.send</b>.
                        </p>
                        <ul>
                            <li>
                                <p>The following value was injected into the source:</p>
                                <pre
                                    class="code">https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\&gt;sbxdhx44wf&amp;#bih4qyzpvt=bih4qyzpvt%27%22`'"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\&gt;sbxdhx44wf&amp;</pre>
                            </li>

                            <li>
                                <p>The previous value reached the sink:</p>
                                <pre
                                    class="code">{"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Request failed with status code 500","name":"Error","constructor_name":"Error","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\\&gt;sbxdhx44wf&amp;#bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\\&gt;sbxdhx44wf&amp;","query_string":"?esux3absmq=esux3absmq%27%22`'\"/esux3absmq/&gt;&lt;esux3absmq/\\&gt;z0k5afa1h6&amp;","user_ip":"$remote_ip"},"client":{"runtime_ms":497,"timestamp":1730843998,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"Error","message":"Request failed with status code 500","description":"Request failed with status code 500"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":50688,"method":"XMLHttpRequest.onloadend","colno":7},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51664,"method":"settle","colno":12},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51368,"method":"createError","colno":15}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.href"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)\n    at get href (&lt;anonymous&gt;:1:249544)\n    at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42576)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (&lt;anonymous&gt;:1:544502)\n    at _0x13dcf0 (&lt;anonymous&gt;:1:558761)\n    at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\\\&gt;ba6kcvqqrk&amp;\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\&gt;ba6kcvqqrk&amp;"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.search"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)\n    at get search (&lt;anonymous&gt;:1:248279)\n    at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42607)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (&lt;anonymous&gt;:1:544502)\n    at _0x13dcf0 (&lt;anonymous&gt;:1:558761)\n    at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\\\&gt;ba6kcvqqrk&amp;\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997220,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997179","status_code":0,"start_time_ms":1730843997180,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997221","status_code":0,"start_time_ms":1730843997221,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"info","type":"network","timestamp_ms":1730843997482,"body":{"method":"POST","url":"https://api.rollbar.com:443/api/1/item/","status_code":200,"start_time_ms":1730843997213,"end_time_ms":1730843997482,"request_content_type":"application/json","subtype":"xhr","response_content_type":"application/json; charset=utf-8"},"source":"client"},{"level":"error","type":"error","timestamp_ms":1730843997563,"body":{"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"},"source":"client","uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9"}]},"context":""}}</pre>
                            </li>

                            <li>
                                <p>The stack trace at source was:</p>
                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
at get href (&lt;anonymous&gt;:1:249544)
at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42576)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
at m.handleUnhandledRejection (https://instance.example.com/fe/js/cv-script.js:201791:19920)
at n (https://instance.example.com/fe/js/cv-script.js:201791:36330)</pre>
                            </li>

                            <li>
                                <p>The stack trace at the sink was:</p>
                                <pre class="code">at Object.XMhUr (&lt;anonymous&gt;:1:544502)
at _0x13dcf0 (&lt;anonymous&gt;:1:558761)
at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)
at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
at https://instance.example.com/fe/js/cv-script.js:201791:32574</pre>
                            </li>

                        </ul>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="6267850805052795904"></a>
                <h2>Open redirection (DOM-based)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The application may be vulnerable to DOM-based open redirection. Data is read from
                    <b>location.search</b> and passed to <b>xhr.send</b>.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>

                    <p>DOM-based open redirection arises when a script writes controllable data into the target of a
                        redirection in an unsafe way. An attacker may be able to use the vulnerability to construct a
                        URL that, if visited by another application user, will cause a redirection to an arbitrary
                        external domain. This behavior can be leveraged to facilitate phishing attacks against users of
                        the application. The ability to use an authentic application URL, targeting the correct domain
                        and with a valid SSL certificate (if SSL is used), lends credibility to the phishing attack
                        because many users, even if they verify these features, will not notice the subsequent
                        redirection to a different domain.</p>
                    <p><b>Note:</b> If an attacker is able to control the start of the string that is passed to the
                        redirection API, then it may be possible to escalate this vulnerability into a JavaScript
                        injection attack, by using a URL with the javascript: pseudo-protocol to execute arbitrary
                        script code when the URL is processed by the browser.</p>

                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
                        execution paths to determine whether this vulnerability is indeed present, or whether
                        mitigations are in place that would prevent exploitation.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The most effective way to avoid DOM-based open redirection vulnerabilities is not to dynamically
                        set redirection targets using data that originated from any untrusted source. If the desired
                        functionality of the application means that this behavior is unavoidable, then defenses must be
                        implemented within the client-side code to prevent malicious data from introducing an arbitrary
                        URL as a redirection target. In general, this is best achieved by using a whitelist of URLs that
                        are permitted redirection targets, and strictly validating the target against this list before
                        performing the redirection.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/dom-based/open-redirection">Web Security
                                Academy: Open redirection (DOM-based)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/601.html">CWE-601: URL Redirection to
                                Untrusted Site ('Open Redirect')</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Dynamic analysis:</h3>
                    <div>
                        <p>
                            Data is read from <b>location.search</b> and passed to <b>xhr.send</b>.
                        </p>
                        <ul>
                            <li>
                                <p>The following value was injected into the source:</p>
                                <pre
                                    class="code">?esux3absmq=esux3absmq%27%22`'"/esux3absmq/&gt;&lt;esux3absmq/\&gt;z0k5afa1h6&amp;</pre>
                            </li>

                            <li>
                                <p>The previous value reached the sink:</p>
                                <pre
                                    class="code">{"access_token":"ed227e6e767e4584a5b3c10dc8b68c2a","data":{"environment":"development","level":"error","endpoint":"api.rollbar.com/api/1/item/","platform":"browser","framework":"browser-js","language":"javascript","server":{},"uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9","notifier":{"name":"rollbar-browser-js","version":"2.26.2","configured_options":{"captureUncaught":true,"captureUnhandledRejections":true,"payload":{"environment":"development"}},"diagnostic":{"original_arg_types":["string","error","undefined"],"is_uncaught":true,"raw_error":{"message":"Request failed with status code 500","name":"Error","constructor_name":"Error","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"}}},"request":{"url":"https://instance.example.com/fe/m3/m-login?bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\\&gt;sbxdhx44wf&amp;#bih4qyzpvt=bih4qyzpvt%27%22`'\"/bih4qyzpvt/&gt;&lt;bih4qyzpvt/\\&gt;sbxdhx44wf&amp;","query_string":"?esux3absmq=esux3absmq%27%22`'\"/esux3absmq/&gt;&lt;esux3absmq/\\&gt;z0k5afa1h6&amp;","user_ip":"$remote_ip"},"client":{"runtime_ms":497,"timestamp":1730843998,"javascript":{"browser":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36","language":"en-US","cookie_enabled":true,"screen":{"width":800,"height":600},"plugins":[]}},"body":{"trace":{"exception":{"class":"Error","message":"Request failed with status code 500","description":"Request failed with status code 500"},"frames":[{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":50688,"method":"XMLHttpRequest.onloadend","colno":7},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51664,"method":"settle","colno":12},{"filename":"https://instance.example.com/fe/js/cv-script.js","lineno":51368,"method":"createError","colno":15}]},"telemetry":[{"level":"error","type":"error","timestamp_ms":1730843997119,"body":{"message":"Cannot read properties of null (reading 'once')","stack":"TypeError: Cannot read properties of null (reading 'once')\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\n    at https://instance.example.com/fe/js/cv-script.js:202367:10"},"source":"client","uuid":"a4231093-6d2e-4dbb-9f7f-7f0c97fde382"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\&gt;fwqsx8nplw&amp;"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997217,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.href"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)\n    at get href (&lt;anonymous&gt;:1:249544)\n    at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42576)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (&lt;anonymous&gt;:1:544502)\n    at _0x13dcf0 (&lt;anonymous&gt;:1:558761)\n    at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\\\&gt;ba6kcvqqrk&amp;\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997218,"body":{"message":"--DynamicJavaScriptAnalysis from JS:DOM XSS found"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Context: NaN.queryString"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Tag name: "},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Original url: https://instance.example.com/fe/m3/m-login"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Generated url: https://instance.example.com/fe/m3/m-login?kpiqhi5l29=kpiqhi5l29%27%22`'\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\&gt;ba6kcvqqrk&amp;"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:PoC:Unable to generate PoC"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source identified as: location.search"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Source Stack trace:     at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)\n    at get search (&lt;anonymous&gt;:1:248279)\n    at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42607)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)\n    at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)\n    at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)\n    at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)\n    at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)\n    at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)\n    at m.handleUncaughtException (https://instance.example.com/fe/js/cv-script.js:201791:18878)\n    at n (https://instance.example.com/fe/js/cv-script.js:201791:35409)\n    at i (https://instance.example.com/fe/js/cv-script.js:201791:35806)"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink identified as: xhr.send"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink Stack trace:     at Object.XMhUr (&lt;anonymous&gt;:1:544502)\n    at _0x13dcf0 (&lt;anonymous&gt;:1:558761)\n    at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)\n    at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)\n    at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)\n    at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)\n    at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)\n    at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)\n    at https://instance.example.com/fe/js/cv-script.js:201791:32574"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997219,"body":{"message":"--DynamicJavaScriptAnalysis from JS:Sink value: {\"access_token\":\"ed227e6e767e4584a5b3c10dc8b68c2a\",\"data\":{\"environment\":\"development\",\"level\":\"error\",\"endpoint\":\"api.rollbar.com/api/1/item/\",\"platform\":\"browser\",\"framework\":\"browser-js\",\"language\":\"javascript\",\"server\":{},\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\",\"notifier\":{\"name\":\"rollbar-browser-js\",\"version\":\"2.26.2\",\"configured_options\":{\"captureUncaught\":true,\"captureUnhandledRejections\":true,\"payload\":{\"environment\":\"development\"}},\"diagnostic\":{\"original_arg_types\":[\"string\",\"error\",\"undefined\"],\"is_uncaught\":true,\"raw_error\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"name\":\"TypeError\",\"constructor_name\":\"TypeError\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"}}},\"request\":{\"url\":\"https://instance.example.com/fe/m3/m-login?iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;#iepuap2p8w=iepuap2p8w%27%22`'\\\"/iepuap2p8w/&gt;&lt;iepuap2p8w/\\\\&gt;fwqsx8nplw&amp;\",\"query_string\":\"?kpiqhi5l29=kpiqhi5l29%27%22`'\\\"/kpiqhi5l29/&gt;&lt;kpiqhi5l29/\\\\&gt;ba6kcvqqrk&amp;\",\"user_ip\":\"$remote_ip\"},\"client\":{\"runtime_ms\":53,\"timestamp\":1730843997,\"javascript\":{\"browser\":\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36\",\"language\":\"en-US\",\"cookie_enabled\":true,\"screen\":{\"width\":800,\"height\":600},\"plugins\":[]}},\"body\":{\"trace\":{\"exception\":{\"class\":\"TypeError\",\"message\":\"Cannot read properties of null (reading 'once')\",\"description\":\"Uncaught TypeError: Cannot read properties of null (reading 'once')\"},\"frames\":[{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202367,\"method\":\"[anonymous]\",\"colno\":10},{\"filename\":\"https://instance.example.com/fe/js/cv-script.js\",\"lineno\":202406,\"method\":\"InfoReceiver.doXhr\",\"colno\":11}]},\"telemetry\":[{\"level\":\"error\",\"type\":\"error\",\"timestamp_ms\":1730843997119,\"body\":{\"message\":\"Cannot read properties of null (reading 'once')\",\"stack\":\"TypeError: Cannot read properties of null (reading 'once')\\n    at InfoReceiver.doXhr (https://instance.example.com/fe/js/cv-script.js:202406:11)\\n    at https://instance.example.com/fe/js/cv-script.js:202367:10\"},\"source\":\"client\",\"uuid\":\"a4231093-6d2e-4dbb-9f7f-7f0c97fde382\"}]},\"context\":\"\"}}"},"source":"client"},{"level":"log","type":"log","timestamp_ms":1730843997220,"body":{"message":"--DynamicJavaScriptAnalysis from JS:-------------------------"},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997179","status_code":0,"start_time_ms":1730843997180,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"error","type":"network","timestamp_ms":1730843997410,"body":{"method":"GET","url":"https://localhost:8000/sockjs-node/info?t=1730843997221","status_code":0,"start_time_ms":1730843997221,"end_time_ms":1730843997410,"subtype":"xhr","response_content_type":null},"source":"client"},{"level":"info","type":"network","timestamp_ms":1730843997482,"body":{"method":"POST","url":"https://api.rollbar.com:443/api/1/item/","status_code":200,"start_time_ms":1730843997213,"end_time_ms":1730843997482,"request_content_type":"application/json","subtype":"xhr","response_content_type":"application/json; charset=utf-8"},"source":"client"},{"level":"error","type":"error","timestamp_ms":1730843997563,"body":{"message":"Request failed with status code 500","stack":"Error: Request failed with status code 500\n    at createError (https://instance.example.com/fe/js/cv-script.js:51368:15)\n    at settle (https://instance.example.com/fe/js/cv-script.js:51664:12)\n    at XMLHttpRequest.onloadend (https://instance.example.com/fe/js/cv-script.js:50688:7)"},"source":"client","uuid":"8ea547f7-4ead-4638-bd75-97e9d3af07a9"}]},"context":""}}</pre>
                            </li>

                            <li>
                                <p>The stack trace at source was:</p>
                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
at get search (&lt;anonymous&gt;:1:248279)
at Array.&lt;anonymous&gt; (https://instance.example.com/fe/js/cv-script.js:201791:42607)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.addBaseInfo (https://instance.example.com/fe/js/cv-script.js:201791:42473)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.ensureItemHasSomethingToSay (https://instance.example.com/fe/js/cv-script.js:201791:42150)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.handleItemWithError (https://instance.example.com/fe/js/cv-script.js:201791:42001)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at Array.handleDomException (https://instance.example.com/fe/js/cv-script.js:201791:41530)
at s (https://instance.example.com/fe/js/cv-script.js:201791:31979)
at o._applyTransforms (https://instance.example.com/fe/js/cv-script.js:201791:31998)
at o.log (https://instance.example.com/fe/js/cv-script.js:201791:31700)
at a._log (https://instance.example.com/fe/js/cv-script.js:201791:24343)
at a.log (https://instance.example.com/fe/js/cv-script.js:201791:23115)
at m.handleUnhandledRejection (https://instance.example.com/fe/js/cv-script.js:201791:19920)
at n (https://instance.example.com/fe/js/cv-script.js:201791:36330)</pre>
                            </li>

                            <li>
                                <p>The stack trace at the sink was:</p>
                                <pre class="code">at Object.XMhUr (&lt;anonymous&gt;:1:544502)
at _0x13dcf0 (&lt;anonymous&gt;:1:558761)
at _0xdc6a5f.&lt;computed&gt;._0x13cc4d.oknbI._0x3e2633.XMLHttpRequest.&lt;computed&gt; (&lt;anonymous&gt;:1:458938)
at XMLHttpRequest.send (https://instance.example.com/fe/js/cv-script.js:201791:62448)
at t.exports (https://instance.example.com/fe/js/cv-script.js:201791:39384)
at s._makeRequest (https://instance.example.com/fe/js/cv-script.js:201791:37748)
at s._makeZoneRequest (https://instance.example.com/fe/js/cv-script.js:201791:37505)
at s.post (https://instance.example.com/fe/js/cv-script.js:201791:36989)
at https://instance.example.com/fe/js/cv-script.js:201791:32574</pre>
                            </li>

                        </ul>
                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>
        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="3527817892229159936"></a>
                <h2>TLS certificate</h2>
                <a href="">/</a>

                <h3>Issue detail:</h3>
                <div>
                    The server presented a valid, trusted TLS certificate. This issue is purely
                    informational.<br><br>The server presented the following certificates:<br><br>
                    <h4>Server certificate</h4>
                    <table>
                        <tr>
                            <td><b>Issued to:</b>&nbsp;&nbsp;</td>
                            <td>*.sandbox.example.com</td>
                        </tr>
                        <tr>
                            <td><b>Issued by:</b>&nbsp;&nbsp;</td>
                            <td>Amazon RSA 2048 M02</td>
                        </tr>
                        <tr>
                            <td><b>Valid from:</b>&nbsp;&nbsp;</td>
                            <td>Wed Feb 28 00:00:00 UTC 2024</td>
                        </tr>
                        <tr>
                            <td><b>Valid to:</b>&nbsp;&nbsp;</td>
                            <td>Sat Mar 29 23:59:59 UTC 2025</td>
                        </tr>
                    </table>
                    <h4>Certificate chain #1</h4>
                    <table>
                        <tr>
                            <td><b>Issued to:</b>&nbsp;&nbsp;</td>
                            <td>Amazon RSA 2048 M02</td>
                        </tr>
                        <tr>
                            <td><b>Issued by:</b>&nbsp;&nbsp;</td>
                            <td>Amazon Root CA 1</td>
                        </tr>
                        <tr>
                            <td><b>Valid from:</b>&nbsp;&nbsp;</td>
                            <td>Tue Aug 23 22:25:30 UTC 2022</td>
                        </tr>
                        <tr>
                            <td><b>Valid to:</b>&nbsp;&nbsp;</td>
                            <td>Fri Aug 23 22:25:30 UTC 2030</td>
                        </tr>
                    </table>
                    <h4>Certificate chain #2</h4>
                    <table>
                        <tr>
                            <td><b>Issued to:</b>&nbsp;&nbsp;</td>
                            <td>Amazon Root CA 1</td>
                        </tr>
                        <tr>
                            <td><b>Issued by:</b>&nbsp;&nbsp;</td>
                            <td>Starfield Services Root Certificate Authority - G2</td>
                        </tr>
                        <tr>
                            <td><b>Valid from:</b>&nbsp;&nbsp;</td>
                            <td>Mon May 25 12:00:00 UTC 2015</td>
                        </tr>
                        <tr>
                            <td><b>Valid to:</b>&nbsp;&nbsp;</td>
                            <td>Thu Dec 31 01:00:00 UTC 2037</td>
                        </tr>
                    </table>
                    <h4>Certificate chain #3</h4>
                    <table>
                        <tr>
                            <td><b>Issued to:</b>&nbsp;&nbsp;</td>
                            <td>Starfield Services Root Certificate Authority - G2</td>
                        </tr>
                        <tr>
                            <td><b>Issued by:</b>&nbsp;&nbsp;</td>
                            <td>Starfield Class 2 Certification Authority</td>
                        </tr>
                        <tr>
                            <td><b>Valid from:</b>&nbsp;&nbsp;</td>
                            <td>Wed Sep 02 00:00:00 UTC 2009</td>
                        </tr>
                        <tr>
                            <td><b>Valid to:</b>&nbsp;&nbsp;</td>
                            <td>Wed Jun 28 17:39:16 UTC 2034</td>
                        </tr>
                    </table>
                    <h4>Certificate chain #4</h4>
                    <table>
                        <tr>
                            <td><b>Issued to:</b>&nbsp;&nbsp;</td>
                            <td>Starfield Class 2 Certification Authority</td>
                        </tr>
                        <tr>
                            <td><b>Issued by:</b>&nbsp;&nbsp;</td>
                            <td>Starfield Class 2 Certification Authority</td>
                        </tr>
                        <tr>
                            <td><b>Valid from:</b>&nbsp;&nbsp;</td>
                            <td>Tue Jun 29 17:39:16 UTC 2004</td>
                        </tr>
                        <tr>
                            <td><b>Valid to:</b>&nbsp;&nbsp;</td>
                            <td>Thu Jun 29 17:39:16 UTC 2034</td>
                        </tr>
                    </table>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>TLS (or SSL) helps to protect the confidentiality and integrity of information in transit between
                        the browser and server, and to provide authentication of the server's identity. To serve this
                        purpose, the server must present an TLS certificate that is valid for the server's hostname, is
                        issued by a trusted authority and is valid for the current date. If any one of these
                        requirements is not met, TLS connections to the server will not provide the full protection for
                        which TLS is designed.</p>
                    <p>It should be noted that various attacks exist against TLS in general, and in the context of HTTPS
                        web connections in particular. It may be possible for a determined and suitably-positioned
                        attacker to compromise TLS connections without user detection even when a valid TLS certificate
                        is used. </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://wiki.mozilla.org/Security/Server_Side_TLS">SSL/TLS Configuration Guide</a>
                        </li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/295.html">CWE-295: Improper Certificate
                                Validation</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/326.html">CWE-326: Inadequate Encryption
                                Strength</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/327.html">CWE-327: Use of a Broken or Risky
                                Cryptographic Algorithm</a></li>
                    </ul>
                </div>

            </div>
        </div>

        <div class="section divider"></div>
        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="5259898011373310976"></a>
                <h2>Content security policy: allows untrusted script execution</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
                        result, it may fail to mitigate cross-site scripting attacks.</p>
                    <p>The policy has the following issues:</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                
                <div>
                    <p>
                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
                        wildcards in script directives. Use a secure, random
                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
                                Security Academy: What is XSS?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
                                Security Academy: Mitigating XSS attacks using CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
                                Academy: Preventing XSS</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="4657103024505977856"></a>
                <h2>Content security policy: allows untrusted script execution</h2>
                <a href="">/m/v3/actions/action-log</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
                        result, it may fail to mitigate cross-site scripting attacks.</p>
                    <p>The policy has the following issues:</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
                        wildcards in script directives. Use a secure, random
                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
                                Security Academy: What is XSS?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
                                Security Academy: Mitigating XSS attacks using CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
                                Academy: Preventing XSS</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 107

                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;}}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:26 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="902521611952553984"></a>
                <h2>Content security policy: allows untrusted script execution</h2>
                <a href="">/m/v3/actions/event-log</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
                        result, it may fail to mitigate cross-site scripting attacks.</p>
                    <p>The policy has the following issues:</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
                        wildcards in script directives. Use a secure, random
                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
                                Security Academy: What is XSS?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
                                Security Academy: Mitigating XSS attacks using CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
                                Academy: Preventing XSS</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 279

                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730843990,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previou
                        <div class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:50 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="6264510907054532608"></a>
                <h2>Content security policy: allows untrusted script execution</h2>
                <a href="">/m/v3/actions/login-m-by-name</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
                        result, it may fail to mitigate cross-site scripting attacks.</p>
                    <p>The policy has the following issues:</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
                        wildcards in script directives. Use a secure, random
                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
                                Security Academy: What is XSS?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
                                Security Academy: Mitigating XSS attacks using CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
                                Academy: Preventing XSS</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Authorization: Bearer undefined
                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 33

                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}</div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:46 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="1529192591484086272"></a>
                <h2>Content security policy: allows untrusted script execution</h2>
                <a href="">/m/v3/actions/request-m-password-reset</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
                        result, it may fail to mitigate cross-site scripting attacks.</p>
                    <p>The policy has the following issues:</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
                        wildcards in script directives. Use a secure, random
                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
                                Security Academy: What is XSS?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
                                Security Academy: Mitigating XSS attacks using CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
                                Academy: Preventing XSS</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/request-reset-password
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 94

                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:36 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="3808026467961441280"></a>
                <h2>Content security policy: allows untrusted script execution</h2>
                <a href="">/m/v3/translations</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
                        result, it may fail to mitigate cross-site scripting attacks.</p>
                    <p>The policy has the following issues:</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
                        wildcards in script directives. Use a secure, random
                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
                                Security Academy: What is XSS?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
                                Security Academy: Mitigating XSS attacks using CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
                                Academy: Preventing XSS</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:39 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="4466300982206924800"></a>
                <h2>Content security policy: allows untrusted script execution</h2>
                <a href="">/m/v3/translations/locales</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted JavaScript from being executed. As a
                        result, it may fail to mitigate cross-site scripting attacks.</p>
                    <p>The policy has the following issues:</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary scripts to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary scripts to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate cross-site scripting by avoiding 'unsafe-inline', 'unsafe-eval', data: URLs, and global
                        wildcards in script directives. Use a secure, random
                        nonce of at least 8 characters 'nonce-RANDOM' to prevent untrusted JavaScript execution.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting#what-is-cross-site-scripting-xss">Web
                                Security Academy: What is XSS?</a></li>
                        <li><a
                                href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy#mitigating-xss-attacks-using-csp">Web
                                Security Academy: Mitigating XSS attacks using CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/preventing">Web Security
                                Academy: Preventing XSS</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/79.html">CWE-79: Improper Neutralization of
                                Input During Web Page Generation ('Cross-site Scripting')</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/80.html">CWE-80: Improper Neutralization of
                                Script-Related HTML Tags in a Web Page (Basic XSS)</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/588.html">CAPEC-588: DOM-Based XSS</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:24 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>
        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="2695716473583569920"></a>
                <h2>Content security policy: allows untrusted style execution</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
                        to mitigate style based data exfiltration.</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
                        wildcards in style directives.
                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
                                Blind CSS exfiltration</a></li>
                        <li><a
                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
                                Research: Offensive CSS research</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
                                Cross-Domain Theft</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="1298103128246460416"></a>
                <h2>Content security policy: allows untrusted style execution</h2>
                <a href="">/m/v3/actions/action-log</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
                        to mitigate style based data exfiltration.</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
                        wildcards in style directives.
                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
                                Blind CSS exfiltration</a></li>
                        <li><a
                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
                                Research: Offensive CSS research</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
                                Cross-Domain Theft</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 107

                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;}}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:26 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="2014798415321718784"></a>
                <h2>Content security policy: allows untrusted style execution</h2>
                <a href="">/m/v3/actions/event-log</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
                        to mitigate style based data exfiltration.</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
                        wildcards in style directives.
                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
                                Blind CSS exfiltration</a></li>
                        <li><a
                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
                                Research: Offensive CSS research</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
                                Cross-Domain Theft</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1245037457.1730843989; _ga_0CGDK6Q0X4=GS1.1.1730843988.1.0.1730843990.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 279

                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730843990,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previou
                        <div class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:50 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="1922984841418255360"></a>
                <h2>Content security policy: allows untrusted style execution</h2>
                <a href="">/m/v3/actions/login-m-by-name</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
                        to mitigate style based data exfiltration.</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
                        wildcards in style directives.
                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
                                Blind CSS exfiltration</a></li>
                        <li><a
                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
                                Research: Offensive CSS research</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
                                Cross-Domain Theft</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Authorization: Bearer undefined
                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 33

                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}</div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:46 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="8450741944245941248"></a>
                <h2>Content security policy: allows untrusted style execution</h2>
                <a href="">/m/v3/actions/request-m-password-reset</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
                        to mitigate style based data exfiltration.</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
                        wildcards in style directives.
                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
                                Blind CSS exfiltration</a></li>
                        <li><a
                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
                                Research: Offensive CSS research</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
                                Cross-Domain Theft</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/request-reset-password
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 94

                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:36 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="3555706921975993344"></a>
                <h2>Content security policy: allows untrusted style execution</h2>
                <a href="">/m/v3/translations</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
                        to mitigate style based data exfiltration.</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
                        wildcards in style directives.
                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
                                Blind CSS exfiltration</a></li>
                        <li><a
                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
                                Research: Offensive CSS research</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
                                Cross-Domain Theft</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:39 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="2057881140009319424"></a>
                <h2>Content security policy: allows untrusted style execution</h2>
                <a href="">/m/v3/translations/locales</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy fails to prevent untrusted style execution. As a result, it may fail
                        to mitigate style based data exfiltration.</p>
                    <p>The policy allows global wildcard URLs which allows arbitrary styles to be executed.</p>
                    <p>The policy allows data: URLs which allows arbitrary styles to be executed.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>
                        Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global
                        wildcards in style directives.
                        Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://portswigger.net/research/blind-css-exfiltration">PortSwigger Research:
                                Blind CSS exfiltration</a></li>
                        <li><a
                                href="https://portswigger.net/research/detecting-and-exploiting-path-relative-stylesheet-import-prssi-vulnerabilities#badcss">PortSwigger
                                Research: Offensive CSS research</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/159.html">CWE-159: Failure to Sanitize
                                Special Element</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/468.html">CAPEC-468: Generic Cross-Browser
                                Cross-Domain Theft</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:24 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>
        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="8357691155950076928"></a>
                <h2>Content security policy: allows form hijacking</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
                        from a manager and sending them to an attacker's server upon form submission.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>We recommend using the form-action directive in the CSP response header to control form post
                        destinations. If no form actions are used, set form-action to 'none' to block
                        untrusted forms. For applications without external form URLs, use 'self' to allow only
                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
                        be aware this lets attackers submit to these external resources.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="4549316367934383104"></a>
                <h2>Content security policy: allows form hijacking</h2>
                <a href="">/m/v3/actions/action-log</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
                        from a manager and sending them to an attacker's server upon form submission.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>We recommend using the form-action directive in the CSP response header to control form post
                        destinations. If no form actions are used, set form-action to 'none' to block
                        untrusted forms. For applications without external form URLs, use 'self' to allow only
                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
                        be aware this lets attackers submit to these external resources.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1789135595.1730843965; _ga_0CGDK6Q0X4=GS1.1.1730843965.1.0.1730843965.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 107

                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;}}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:26 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="6701390394372629504"></a>
                <h2>Content security policy: allows form hijacking</h2>
                <a href="">/m/v3/actions/event-log</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
                        from a manager and sending them to an attacker's server upon form submission.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>We recommend using the form-action directive in the CSP response header to control form post
                        destinations. If no form actions are used, set form-action to 'none' to block
                        untrusted forms. For applications without external form URLs, use 'self' to allow only
                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
                        be aware this lets attackers submit to these external resources.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 301

                        {&quot;name&quot;:&quot;mLoginAttempted&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730843986,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previousURL&quot;
                        <div class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:46 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="5123150992306434048"></a>
                <h2>Content security policy: allows form hijacking</h2>
                <a href="">/m/v3/actions/login-m-by-name</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
                        from a manager and sending them to an attacker's server upon form submission.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>We recommend using the form-action directive in the CSP response header to control form post
                        destinations. If no form actions are used, set form-action to 'none' to block
                        untrusted forms. For applications without external form URLs, use 'self' to allow only
                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
                        be aware this lets attackers submit to these external resources.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Authorization: Bearer undefined
                        Cookie: _ga=GA1.1.2130470854.1730843985; _ga_0CGDK6Q0X4=GS1.1.1730843984.1.0.1730843986.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 33

                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}</div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:46 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="6598663798538817536"></a>
                <h2>Content security policy: allows form hijacking</h2>
                <a href="">/m/v3/actions/request-m-password-reset</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
                        from a manager and sending them to an attacker's server upon form submission.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>We recommend using the form-action directive in the CSP response header to control form post
                        destinations. If no form actions are used, set form-action to 'none' to block
                        untrusted forms. For applications without external form URLs, use 'self' to allow only
                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
                        be aware this lets attackers submit to these external resources.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1294211964.1730843974; _ga_0CGDK6Q0X4=GS1.1.1730843974.1.1.1730843975.0.0.0
                        Origin: https://instance.example.com
                        Referer: https://instance.example.com/fe/m3/request-reset-password
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 94

                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:36 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="7695309936584174592"></a>
                <h2>Content security policy: allows form hijacking</h2>
                <a href="">/m/v3/translations</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
                        from a manager and sending them to an attacker's server upon form submission.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>We recommend using the form-action directive in the CSP response header to control form post
                        destinations. If no form actions are used, set form-action to 'none' to block
                        untrusted forms. For applications without external form URLs, use 'self' to allow only
                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
                        be aware this lets attackers submit to these external resources.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.1871968749.1730843978; _ga_0CGDK6Q0X4=GS1.1.1730843977.1.1.1730843978.0.0.0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:39 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="3054733144918620160"></a>
                <h2>Content security policy: allows form hijacking</h2>
                <a href="">/m/v3/translations/locales</a>

                <h3>Issue detail:</h3>
                <div>
                    <p>The content security policy doesn't prevent form hijacking, where attackers with HTML injection
                        hijack forms using action attributes. This can lead to credential theft by autofilling passwords
                        from a manager and sending them to an attacker's server upon form submission.</p>
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Content Security Policy (CSP) is a security mechanism designed to mitigate cross-site scripting
                        attacks by disabling dangerous behaviours such as untrusted JavaScript execution.
                        Websites can specify their security policy in a response header or meta tag, enabling
                        fine-grained control over dangerous features like scripts and stylesheets.
                    </p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>We recommend using the form-action directive in the CSP response header to control form post
                        destinations. If no form actions are used, set form-action to 'none' to block
                        untrusted forms. For applications without external form URLs, use 'self' to allow only
                        same-origin URLs. If needed, allow list hosts for external URL form submissions, but
                        be aware this lets attackers submit to these external resources.
                    </p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a
                                href="https://portswigger.net/research/stealing-passwords-from-infosec-mastodon-without-bypassing-csp">PortSwigger
                                Research: Stealing passwords from infosec Mastodon - without bypassing CSP</a></li>
                        <li><a href="https://portswigger.net/web-security/cross-site-scripting/content-security-policy">Web
                                Security Academy: What is CSP?</a></li>
                        <li><a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP">Content Security Policy
                                (CSP)</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 21:59:24 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: <span class="highlight">frame-ancestors &#39;self&#39;
                            https://staging.example.com</span>
                        Access-Control-Allow-Origin: *
                        Access-Control-Allow-Credentials: true
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>
        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="8763174910093391872"></a>
                <h2>Cross-origin resource sharing</h2>
                <a href="">/m/v3/actions/action-log</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
                    an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
                        application. If a user is logged in to the application, and visits a domain allowed by the
                        policy, then any malicious content running on that domain can potentially retrieve content from
                        the application, and sometimes carry out actions within the security context of the logged in
                        user.</p>
                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
                        attack the application that allows access. CORS policies on pages containing sensitive
                        information should be reviewed to determine whether it is appropriate for the application to
                        trust both the intentions and security posture of any domains granted access.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.705270236.1730844023; _ga_0CGDK6Q0X4=GS1.1.1730844022.1.0.1730844028.0.0.0
                        <span class="highlight">Origin: https://instance.example.com</span>
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 118

                        {&quot;name&quot;:&quot;mLoginAttempt&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;,&quot;mName&quot;:&quot;&quot;}}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:00:29 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="5925852801819709440"></a>
                <h2>Cross-origin resource sharing</h2>
                <a href="">/m/v3/actions/event-log</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
                    an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
                        application. If a user is logged in to the application, and visits a domain allowed by the
                        policy, then any malicious content running on that domain can potentially retrieve content from
                        the application, and sometimes carry out actions within the security context of the logged in
                        user.</p>
                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
                        attack the application that allows access. CORS policies on pages containing sensitive
                        information should be reviewed to determine whether it is appropriate for the application to
                        trust both the intentions and security posture of any domains granted access.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.567957676.1730844025; _ga_0CGDK6Q0X4=GS1.1.1730844024.1.0.1730844029.0.0.0
                        <span class="highlight">Origin: https://instance.example.com</span>
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 279

                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730844029,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previou
                        <div class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:00:30 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="5857278075795971072"></a>
                <h2>Cross-origin resource sharing</h2>
                <a href="">/m/v3/actions/login-m-by-name</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
                    an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
                        application. If a user is logged in to the application, and visits a domain allowed by the
                        policy, then any malicious content running on that domain can potentially retrieve content from
                        the application, and sometimes carry out actions within the security context of the logged in
                        user.</p>
                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
                        attack the application that allows access. CORS policies on pages containing sensitive
                        information should be reviewed to determine whether it is appropriate for the application to
                        trust both the intentions and security posture of any domains granted access.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Authorization: Bearer undefined
                        Cookie: _ga=GA1.1.766182157.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.0.1730844022.0.0.0
                        <span class="highlight">Origin: https://instance.example.com</span>
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 33

                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:00:23 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="1427808413525564416"></a>
                <h2>Cross-origin resource sharing</h2>
                <a href="">/m/v3/actions/request-m-password-reset</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
                    an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
                        application. If a user is logged in to the application, and visits a domain allowed by the
                        policy, then any malicious content running on that domain can potentially retrieve content from
                        the application, and sometimes carry out actions within the security context of the logged in
                        user.</p>
                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
                        attack the application that allows access. CORS policies on pages containing sensitive
                        information should be reviewed to determine whether it is appropriate for the application to
                        trust both the intentions and security posture of any domains granted access.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.496830287.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.1.1730844022.0.0.0
                        <span class="highlight">Origin: https://instance.example.com</span>
                        Referer: https://instance.example.com/fe/m3/request-reset-password
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 94

                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:00:23 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="8711212538224995328"></a>
                <h2>Cross-origin resource sharing</h2>
                <a href="">/m/v3/translations</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
                    an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
                        application. If a user is logged in to the application, and visits a domain allowed by the
                        policy, then any malicious content running on that domain can potentially retrieve content from
                        the application, and sometimes carry out actions within the security context of the logged in
                        user.</p>
                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
                        attack the application that allows access. CORS policies on pages containing sensitive
                        information should be reviewed to determine whether it is appropriate for the application to
                        trust both the intentions and security posture of any domains granted access.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.2145941182.1730844052; _ga_0CGDK6Q0X4=GS1.1.1730844051.1.1.1730844054.0.0.0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        <span class="highlight">Origin: https://instance.example.com</span>

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:04:36 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="5779334575193283584"></a>
                <h2>Cross-origin resource sharing</h2>
                <a href="">/m/v3/translations/locales</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this
                    request.<br><br>The response uses a wildcard in the Access-Control-Allow-Origin header and also
                    specifies that credentials are allowed. Note that browsers do not allow this combination, and the
                    Access-Control-Allow-Credentials header will be ignored.<br><br>Since the Vary: Origin header was
                    not present in the response, reverse proxies and intermediate servers may cache it. This may enable
                    an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>If another domain is allowed by the policy, then that domain can potentially attack users of the
                        application. If a user is logged in to the application, and visits a domain allowed by the
                        policy, then any malicious content running on that domain can potentially retrieve content from
                        the application, and sometimes carry out actions within the security context of the logged in
                        user.</p>
                    <p>Even if an allowed domain is not overtly malicious in itself, security vulnerabilities within
                        that domain could potentially be leveraged by an attacker to exploit the trust relationship and
                        attack the application that allows access. CORS policies on pages containing sensitive
                        information should be reviewed to determine whether it is appropriate for the application to
                        trust both the intentions and security posture of any domains granted access.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Any inappropriate domains should be removed from the CORS policy.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        <span class="highlight">Origin: https://instance.example.com</span>

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:09:09 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>
        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="8820756364458124288"></a>
                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
                <a href="">/m/v3/actions/action-log</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
                    that allows access from any domain.<br><br>The application allowed access from the requested origin
                    <strong>https://aazpkgamubbk.com</strong><br><br>The response uses a wildcard in the
                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>
                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
                        interaction by third-party web sites. Unless the response consists only of unprotected public
                        content, this policy is likely to present a security risk.</p>
                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
                        attackers may be able to bypass any IP-based access controls by proxying through users'
                        browsers.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
                        trusted domains.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/action-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.705270236.1730844023; _ga_0CGDK6Q0X4=GS1.1.1730844022.1.0.1730844028.0.0.0
                        <span class="highlight">Origin: https://aazpkgamubbk.com</span>
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 118

                        {&quot;name&quot;:&quot;mLoginAttempt&quot;,&quot;category&quot;:&quot;mConsolefe&quot;,&quot;data&quot;:{&quot;deviceType&quot;:&quot;Desktop&quot;,&quot;mName&quot;:&quot;&quot;}}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:08:15 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="530498929544584192"></a>
                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
                <a href="">/m/v3/actions/event-log</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
                    that allows access from any domain.<br><br>The application allowed access from the requested origin
                    <strong>https://nyc.com</strong><br><br>The response uses a wildcard in the
                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>
                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
                        interaction by third-party web sites. Unless the response consists only of unprotected public
                        content, this policy is likely to present a security risk.</p>
                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
                        attackers may be able to bypass any IP-based access controls by proxying through users'
                        browsers.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
                        trusted domains.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/event-log HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.567957676.1730844025; _ga_0CGDK6Q0X4=GS1.1.1730844024.1.0.1730844029.0.0.0
                        <span class="highlight">Origin: https://nyc.com</span>
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 279

                        {&quot;name&quot;:&quot;ForgotPasswordButtonClicked&quot;,&quot;category&quot;:&quot;mConsoleEvents&quot;,&quot;timestamp&quot;:1730844029,&quot;data&quot;:{&quot;currentURL&quot;:&quot;https://instance.example.com/fe/m3/m-login&quot;,&quot;previou
                        <div class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:08:55 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="5900011248769263616"></a>
                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
                <a href="">/m/v3/actions/login-m-by-name</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
                    that allows access from any domain.<br><br>The application allowed access from the requested origin
                    <strong>https://zwa.com</strong><br><br>The response uses a wildcard in the
                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>
                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
                        interaction by third-party web sites. Unless the response consists only of unprotected public
                        content, this policy is likely to present a security risk.</p>
                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
                        attackers may be able to bypass any IP-based access controls by proxying through users'
                        browsers.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
                        trusted domains.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/login-m-by-name HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Authorization: Bearer undefined
                        Cookie: _ga=GA1.1.766182157.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.0.1730844022.0.0.0
                        <span class="highlight">Origin: https://zwa.com</span>
                        Referer: https://instance.example.com/fe/m3/m-login
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 33

                        {&quot;mName&quot;:&quot;&quot;,&quot;password&quot;:&quot;&quot;}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:08:00 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="1161946040846946304"></a>
                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
                <a href="">/m/v3/actions/request-m-password-reset</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
                    that allows access from any domain.<br><br>The application allowed access from the requested origin
                    <strong>https://wsparhyjqvka.com</strong><br><br>The response uses a wildcard in the
                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>
                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
                        interaction by third-party web sites. Unless the response consists only of unprotected public
                        content, this policy is likely to present a security risk.</p>
                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
                        attackers may be able to bypass any IP-based access controls by proxying through users'
                        browsers.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
                        trusted domains.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">POST /m/v3/actions/request-m-password-reset HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.496830287.1730844017; _ga_0CGDK6Q0X4=GS1.1.1730844017.1.1.1730844022.0.0.0
                        <span class="highlight">Origin: https://wsparhyjqvka.com</span>
                        Referer: https://instance.example.com/fe/m3/request-reset-password
                        Content-Type: application/json
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        Content-Length: 94

                        {&quot;mName&quot;:&quot;BoSUhm&quot;,&quot;mEmail&quot;:&quot;BoSUhmuz@burpcollaborator.net&quot;,&quot;mPhone&quot;:null}
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:08:21 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="8827647893815513088"></a>
                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
                <a href="">/m/v3/translations</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
                    that allows access from any domain.<br><br>The application allowed access from the requested origin
                    <strong>https://tjelewarvblp.com</strong><br><br>The response uses a wildcard in the
                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>
                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
                        interaction by third-party web sites. Unless the response consists only of unprotected public
                        content, this policy is likely to present a security risk.</p>
                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
                        attackers may be able to bypass any IP-based access controls by proxying through users'
                        browsers.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
                        trusted domains.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations?locale=en_US&amp;category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Cookie: _ga=GA1.1.2145941182.1730844052; _ga_0CGDK6Q0X4=GS1.1.1730844051.1.1.1730844054.0.0.0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        <span class="highlight">Origin: https://tjelewarvblp.com</span>

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:04:37 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="3408790232388447232"></a>
                <h2>Cross-origin resource sharing: arbitrary origin trusted</h2>
                <a href="">/m/v3/translations/locales</a>

                <h3>Issue detail:</h3>
                <div>
                    The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request
                    that allows access from any domain.<br><br>The application allowed access from the requested origin
                    <strong>https://pduoenagjukk.com</strong><br><br>The response uses a wildcard in the
                    Access-Control-Allow-Origin header and also specifies that credentials are allowed. Note that
                    browsers do not allow this combination, and the Access-Control-Allow-Credentials header will be
                    ignored.<br><br>Since the Vary: Origin header was not present in the response, reverse proxies and
                    intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>An HTML5 cross-origin resource sharing (CORS) policy controls whether and how content running on
                        other domains can perform two-way interaction with the domain that publishes the policy. The
                        policy is fine-grained and can apply access controls per-request based on the URL and other
                        features of the request.</p>
                    <p>
                        Trusting arbitrary origins effectively disables the same-origin policy, allowing two-way
                        interaction by third-party web sites. Unless the response consists only of unprotected public
                        content, this policy is likely to present a security risk.</p>
                    <p>If the site specifies the header Access-Control-Allow-Credentials: true, third-party sites may be
                        able to carry out privileged actions and retrieve sensitive information. Even if it does not,
                        attackers may be able to bypass any IP-based access controls by proxying through users'
                        browsers.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Rather than using a wildcard or programmatically verifying supplied origins, use a whitelist of
                        trusted domains.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/cors">Web Security Academy: Cross-origin
                                resource sharing (CORS)</a></li>
                        <li><a
                                href="https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties">Exploiting
                                CORS Misconfigurations</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/942.html">CWE-942: Overly Permissive
                                Cross-domain Whitelist</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /m/v3/translations/locales?category=m-fe HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: application/json, text/plain, */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Referer: https://instance.example.com/fe/m3/m-login
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0
                        <span class="highlight">Origin: https://pduoenagjukk.com</span>

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 500 Internal Server Error
                        Date: Tue, 05 Nov 2024 22:09:12 GMT
                        <span class="highlight">Content-Type: text/html; charset=UTF-8</span>
                        Content-Length: 0
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        <span class="highlight">Access-Control-Allow-Origin: *</span>
                        <span class="highlight">Access-Control-Allow-Credentials: true</span>
                        Access-Control-Max-Age: 86400

                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>
        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="1403797905824836608"></a>
                <h2>Robots.txt file</h2>
                <a href="">/robots.txt</a>

                <h3>Issue detail:</h3>
                <div>
                    The web server contains a robots.txt file.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>The file robots.txt is used to give instructions to web robots, such as search engine crawlers,
                        about locations within the web site that robots are allowed, or not allowed, to crawl and index.
                    </p>
                    <p>The presence of the robots.txt does not in itself present any kind of security vulnerability.
                        However, it is often used to identify restricted or private areas of a site's contents. The
                        information in the file may therefore help an attacker to map out the site's contents,
                        especially if some of the locations identified are not linked from elsewhere in the site. If the
                        application relies on robots.txt to protect access to these areas, and does not enforce proper
                        access control over them, then this presents a serious vulnerability.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The robots.txt file is not itself a security threat, and its correct use can represent good
                        practice for non-security reasons. You should not assume that all web robots will honor the
                        file's instructions. Rather, assume that attackers will pay close attention to any locations
                        identified in the file. Do not rely on robots.txt to provide any kind of protection over
                        unauthorized access.</p>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/200.html">CWE-200: Information Exposure</a>
                        </li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET <span class="highlight">/robots.txt</span> HTTP/1.1
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept: */*
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/1.1 200 OK
                        Date: Tue, 05 Nov 2024 21:59:51 GMT
                        Content-Type: text/plain
                        Content-Length: 195
                        Connection: close
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        Last-Modified: Tue, 15 Oct 2024 15:56:17 GMT
                        ETag: &quot;c3-62485fe5f1553-gzip&quot;
                        Accept-Ranges: bytes
                        Vary: Accept-Encoding

                        User-agent: *
                        Disallow: /app
                        Disallow: /apidocs/example-app-install.pdf
                        Disallow: /dashboard/
                        Disallow: /m2/
                        Disallow: /m/
                        Disallow: /js/
                        Disallow: /modules/api/fetch-dictionary.php
                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>
        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="8892116954353746944"></a>
                <h2>Cacheable HTTPS response</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>
                    Issue description:
                </h3>
                <div>
                    <p>Unless directed otherwise, browsers may store a local cached copy of content received from web
                        servers. Some browsers, including Internet Explorer, cache content accessed via HTTPS. If
                        sensitive information in application responses is stored in the local cache, then this may be
                        retrieved by other users who have access to the same computer at a future time.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>Applications should return caching directives instructing browsers not to store local copies of
                        any sensitive data. Often, this can be achieved by configuring the web server to prevent caching
                        for relevant paths within the web root. Alternatively, most web development platforms allow you
                        to control the server's caching directives from within individual scripts. Ideally, the web
                        server should return the following HTTP headers in all responses containing sensitive content:
                    </p>
                    <ul>
                        <li>Cache-control: no-store</li>
                        <li>Pragma: no-cache</li>
                    </ul>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/information-disclosure">Web Security Academy:
                                Information disclosure</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/524.html">CWE-524: Information Exposure
                                Through Caching</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/525.html">CWE-525: Information Exposure
                                Through Browser Caching</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/37.html">CAPEC-37: Retrieve Embedded
                                Sensitive Data</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>
        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="5632626482916889600"></a>
                <h2>DOM data manipulation (DOM-based)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
                    <b>location.pathname</b> and passed to <b>history.replaceState</b>.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
                        that is used within the visible UI or client-side application logic. An attacker may be able to
                        use the vulnerability to construct a URL that, if visited by another application user, will
                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
                        this to perform virtual defacement of the application, or possibly to induce the user to perform
                        unintended actions. </p>

                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
                        execution paths to determine whether this vulnerability is indeed present, or whether
                        mitigations are in place that would prevent exploitation.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
                        desired functionality of the application means that this behavior is unavoidable, then defenses
                        must be implemented within the client-side code to prevent malicious data from being stored. In
                        general, this is best achieved by using a whitelist of permitted values.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
                                Academy: DOM data manipulation</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
                                Validation</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
                                Manipulation</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Dynamic analysis:</h3>
                    <div>
                        <p>
                            Data is read from <b>location.pathname</b> and passed to <b>history.replaceState</b>.
                        </p>
                        <ul>
                            <li>
                                <p>The following value was injected into the source:</p>
                                <pre
                                    class="code">///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;</pre>
                            </li>

                            <li>
                                <p>The previous value reached the sink:</p>
                                <pre
                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
                            </li>

                            <li>
                                <p>The stack trace at source was:</p>
                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
at get pathname (&lt;anonymous&gt;:1:249642)
at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:13)
at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at 1 (https://instance.example.com/fe/js/app.js:172609:18)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
at https://instance.example.com/fe/js/app.js:994:18</pre>
                            </li>

                            <li>
                                <p>The stack trace at the sink was:</p>
                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
at Object.skeuk (&lt;anonymous&gt;:1:548616)
at History.replaceState (&lt;anonymous&gt;:1:548864)
at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at 1 (https://instance.example.com/fe/js/app.js:172609:18)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)</pre>
                            </li>

                        </ul>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="2020756852015877120"></a>
                <h2>DOM data manipulation (DOM-based)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
                    <b>location.search</b> and passed to <b>history.replaceState</b>.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
                        that is used within the visible UI or client-side application logic. An attacker may be able to
                        use the vulnerability to construct a URL that, if visited by another application user, will
                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
                        this to perform virtual defacement of the application, or possibly to induce the user to perform
                        unintended actions. </p>

                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
                        execution paths to determine whether this vulnerability is indeed present, or whether
                        mitigations are in place that would prevent exploitation.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
                        desired functionality of the application means that this behavior is unavoidable, then defenses
                        must be implemented within the client-side code to prevent malicious data from being stored. In
                        general, this is best achieved by using a whitelist of permitted values.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
                                Academy: DOM data manipulation</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
                                Validation</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
                                Manipulation</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Dynamic analysis:</h3>
                    <div>
                        <p>
                            Data is read from <b>location.search</b> and passed to <b>history.replaceState</b>.
                        </p>
                        <ul>
                            <li>
                                <p>The following value was injected into the source:</p>
                                <pre
                                    class="code">?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;</pre>
                            </li>

                            <li>
                                <p>The previous value reached the sink:</p>
                                <pre
                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
                            </li>

                            <li>
                                <p>The stack trace at source was:</p>
                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
at get search (&lt;anonymous&gt;:1:248279)
at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:23)
at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at 1 (https://instance.example.com/fe/js/app.js:172609:18)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
at https://instance.example.com/fe/js/app.js:994:18</pre>
                            </li>

                            <li>
                                <p>The stack trace at the sink was:</p>
                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
at Object.skeuk (&lt;anonymous&gt;:1:548616)
at History.replaceState (&lt;anonymous&gt;:1:548864)
at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at 1 (https://instance.example.com/fe/js/app.js:172609:18)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)</pre>
                            </li>

                        </ul>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="547516727130662912"></a>
                <h2>DOM data manipulation (DOM-based)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
                    <b>location.hash</b> and passed to <b>history.replaceState</b>.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
                        that is used within the visible UI or client-side application logic. An attacker may be able to
                        use the vulnerability to construct a URL that, if visited by another application user, will
                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
                        this to perform virtual defacement of the application, or possibly to induce the user to perform
                        unintended actions. </p>

                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
                        execution paths to determine whether this vulnerability is indeed present, or whether
                        mitigations are in place that would prevent exploitation.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
                        desired functionality of the application means that this behavior is unavoidable, then defenses
                        must be implemented within the client-side code to prevent malicious data from being stored. In
                        general, this is best achieved by using a whitelist of permitted values.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
                                Academy: DOM data manipulation</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
                                Validation</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
                                Manipulation</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Dynamic analysis:</h3>
                    <div>
                        <p>
                            Data is read from <b>location.hash</b> and passed to <b>history.replaceState</b>.
                        </p>
                        <ul>
                            <li>
                                <p>The following value was injected into the source:</p>
                                <pre
                                    class="code">#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
                            </li>

                            <li>
                                <p>The previous value reached the sink:</p>
                                <pre
                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
                            </li>

                            <li>
                                <p>The stack trace at source was:</p>
                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
at get hash (&lt;anonymous&gt;:1:249429)
at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:31)
at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at 1 (https://instance.example.com/fe/js/app.js:172609:18)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
at https://instance.example.com/fe/js/app.js:994:18</pre>
                            </li>

                            <li>
                                <p>The stack trace at the sink was:</p>
                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
at Object.skeuk (&lt;anonymous&gt;:1:548616)
at History.replaceState (&lt;anonymous&gt;:1:548864)
at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218154:9)
at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at 1 (https://instance.example.com/fe/js/app.js:172609:18)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)</pre>
                            </li>

                        </ul>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="3668057833940777984"></a>
                <h2>DOM data manipulation (DOM-based)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
                    <b>location.pathname</b> and passed to <b>history.replaceState</b>.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
                        that is used within the visible UI or client-side application logic. An attacker may be able to
                        use the vulnerability to construct a URL that, if visited by another application user, will
                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
                        this to perform virtual defacement of the application, or possibly to induce the user to perform
                        unintended actions. </p>

                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
                        execution paths to determine whether this vulnerability is indeed present, or whether
                        mitigations are in place that would prevent exploitation.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
                        desired functionality of the application means that this behavior is unavoidable, then defenses
                        must be implemented within the client-side code to prevent malicious data from being stored. In
                        general, this is best achieved by using a whitelist of permitted values.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
                                Academy: DOM data manipulation</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
                                Validation</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
                                Manipulation</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Dynamic analysis:</h3>
                    <div>
                        <p>
                            Data is read from <b>location.pathname</b> and passed to <b>history.replaceState</b>.
                        </p>
                        <ul>
                            <li>
                                <p>The following value was injected into the source:</p>
                                <pre
                                    class="code">///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;</pre>
                            </li>

                            <li>
                                <p>The previous value reached the sink:</p>
                                <pre
                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
                            </li>

                            <li>
                                <p>The stack trace at source was:</p>
                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
at get pathname (&lt;anonymous&gt;:1:249642)
at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:13)
at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at 1 (https://instance.example.com/fe/js/app.js:172609:18)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
at https://instance.example.com/fe/js/app.js:994:18</pre>
                            </li>

                            <li>
                                <p>The stack trace at the sink was:</p>
                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
at Object.skeuk (&lt;anonymous&gt;:1:548616)
at History.replaceState (&lt;anonymous&gt;:1:548864)
at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
at https://instance.example.com/fe/js/cv-script.js:220724:27</pre>
                            </li>

                            <li>
                                <p>This was triggered by a <b>loadend</b> event.</p>
                            </li>

                        </ul>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="7064533534944179200"></a>
                <h2>DOM data manipulation (DOM-based)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
                    <b>location.search</b> and passed to <b>history.replaceState</b>.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
                        that is used within the visible UI or client-side application logic. An attacker may be able to
                        use the vulnerability to construct a URL that, if visited by another application user, will
                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
                        this to perform virtual defacement of the application, or possibly to induce the user to perform
                        unintended actions. </p>

                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
                        execution paths to determine whether this vulnerability is indeed present, or whether
                        mitigations are in place that would prevent exploitation.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
                        desired functionality of the application means that this behavior is unavoidable, then defenses
                        must be implemented within the client-side code to prevent malicious data from being stored. In
                        general, this is best achieved by using a whitelist of permitted values.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
                                Academy: DOM data manipulation</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
                                Validation</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
                                Manipulation</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Dynamic analysis:</h3>
                    <div>
                        <p>
                            Data is read from <b>location.search</b> and passed to <b>history.replaceState</b>.
                        </p>
                        <ul>
                            <li>
                                <p>The following value was injected into the source:</p>
                                <pre
                                    class="code">?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;</pre>
                            </li>

                            <li>
                                <p>The previous value reached the sink:</p>
                                <pre
                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
                            </li>

                            <li>
                                <p>The stack trace at source was:</p>
                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
at get search (&lt;anonymous&gt;:1:248279)
at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:23)
at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at 1 (https://instance.example.com/fe/js/app.js:172609:18)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
at https://instance.example.com/fe/js/app.js:994:18</pre>
                            </li>

                            <li>
                                <p>The stack trace at the sink was:</p>
                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
at Object.skeuk (&lt;anonymous&gt;:1:548616)
at History.replaceState (&lt;anonymous&gt;:1:548864)
at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
at https://instance.example.com/fe/js/cv-script.js:220724:27</pre>
                            </li>

                            <li>
                                <p>This was triggered by a <b>loadend</b> event.</p>
                            </li>

                        </ul>
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="7933681146442143744"></a>
                <h2>DOM data manipulation (DOM-based)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The application may be vulnerable to DOM-based DOM data manipulation. Data is read from
                    <b>location.hash</b> and passed to <b>history.replaceState</b>.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>DOM-based vulnerabilities arise when a client-side script reads data from a controllable part of
                        the DOM (for example, the URL) and processes this data in an unsafe way.</p>
                    <p>DOM data manipulation arises when a script writes controllable data to a field within the DOM
                        that is used within the visible UI or client-side application logic. An attacker may be able to
                        use the vulnerability to construct a URL that, if visited by another application user, will
                        modify the appearance or behavior of the client-side UI. An attacker may be able to leverage
                        this to perform virtual defacement of the application, or possibly to induce the user to perform
                        unintended actions. </p>

                    <p>Burp Suite automatically identifies this issue using dynamic and static code analysis. Static
                        analysis can lead to false positives that are not actually exploitable. If Burp Scanner has not
                        provided any evidence resulting from dynamic analysis, you should review the relevant code and
                        execution paths to determine whether this vulnerability is indeed present, or whether
                        mitigations are in place that would prevent exploitation.</p>
                </div>

                <h3>
                    Issue remediation:
                </h3>
                <div>
                    <p>The most effective way to avoid DOM-based DOM data manipulation vulnerabilities is not to
                        dynamically write to DOM data fields any data that originated from any untrusted source. If the
                        desired functionality of the application means that this behavior is unavoidable, then defenses
                        must be implemented within the client-side code to prevent malicious data from being stored. In
                        general, this is best achieved by using a whitelist of permitted values.</p>
                </div>

                <h3>References</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://portswigger.net/web-security/dom-based/dom-data-manipulation">Web Security
                                Academy: DOM data manipulation</a></li>
                    </ul>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
                                Validation</a></li>
                        <li><a href="https://capec.mitre.org/data/definitions/153.html">CAPEC-153: Input Data
                                Manipulation</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3/m-login HTTP/2
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/2 200 OK
                        Date: Tue, 05 Nov 2024 21:59:12 GMT
                        Content-Type: text/html; charset=UTF-8
                        Content-Length: 1906
                        Server: Apache/2.4.62 (Ubuntu)
                        X-Frame-Options: SAMEORIGIN
                        Content-Security-Policy: frame-ancestors &#39;self&#39; https://staging.example.com
                        X-Powered-By: Express
                        Accept-Ranges: bytes
                        Etag: W/&quot;772-nTX2V1HNhmftVEdlcx8ktFJUONI-gzip&quot;
                        Vary: Accept-Encoding

                        &lt;!DOCTYPE html&gt;
                        &lt;html lang=&quot;&quot;&gt;
                        &lt;head&gt;
                        &lt;meta charset=&quot;utf-8&quot; /&gt;
                        &lt;meta http-equiv=&quot;X-UA-Compatible&quot; content=&quot;IE=edge&quot; /&gt;
                        &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width,initial-scale=1.0<div
                            class="snip"><span><span>Snip</span></span></div>
                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Dynamic analysis:</h3>
                    <div>
                        <p>
                            Data is read from <b>location.hash</b> and passed to <b>history.replaceState</b>.
                        </p>
                        <ul>
                            <li>
                                <p>The following value was injected into the source:</p>
                                <pre
                                    class="code">#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
                            </li>

                            <li>
                                <p>The previous value reached the sink:</p>
                                <pre
                                    class="code">https://instance.example.com/fe///fe/m3/m-login//elcs7kifmd%27%22%60'%22/elcs7kifmd/%3E%3Celcs7kifmd//%3Egkr4l404dv&amp;?g49p4yw5cy=g49p4yw5cy%27%22`'"/g49p4yw5cy/&gt;&lt;g49p4yw5cy/\&gt;zgrotg0z2s&amp;#hj8js9yzmu=hj8js9yzmu%27%22`'"/hj8js9yzmu/&gt;&lt;hj8js9yzmu/\&gt;ea3izlhk1m&amp;</pre>
                            </li>

                            <li>
                                <p>The stack trace at source was:</p>
                                <pre class="code">at Object._0x165f99 [as proxiedGetterCallback] (&lt;anonymous&gt;:1:557377)
at get hash (&lt;anonymous&gt;:1:249429)
at createCurrentLocation (https://instance.example.com/fe/js/cv-script.js:218038:31)
at useHistoryStateNavigation (https://instance.example.com/fe/js/cv-script.js:218149:16)
at createWebHistory (https://instance.example.com/fe/js/cv-script.js:218239:31)
at ./src/router/index.ts (https://instance.example.com/fe/js/app.js:166430:79)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/apiClient/apiClient.ts (https://instance.example.com/fe/js/app.js:142756:65)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/apps/m3/services/m.login.service.ts (https://instance.example.com/fe/js/app.js:144223:102)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./node_modules/cache-loader/dist/cjs.js?!./node_modules/babel-loader/lib/index.js!./node_modules/ts-loader/index.js?!./node_modules/cache-loader/dist/cjs.js?!./node_modules/vue-loader-v16/dist/index.js?!./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:1121:105)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue?vue&amp;type=script&amp;lang=ts (https://instance.example.com/fe/js/app.js:106648:313)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/App.vue (https://instance.example.com/fe/js/app.js:106604:90)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at ./src/main.ts (https://instance.example.com/fe/js/app.js:166283:66)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at fn (https://instance.example.com/fe/js/app.js:151:20)
at 1 (https://instance.example.com/fe/js/app.js:172609:18)
at __webpack_require__ (https://instance.example.com/fe/js/app.js:854:30)
at checkDeferredModules (https://instance.example.com/fe/js/app.js:46:23)
at https://instance.example.com/fe/js/app.js:994:18</pre>
                            </li>

                            <li>
                                <p>The stack trace at the sink was:</p>
                                <pre class="code">at Object.dXSzc (&lt;anonymous&gt;:1:107608)
at Object.skeuk (&lt;anonymous&gt;:1:548616)
at History.replaceState (&lt;anonymous&gt;:1:548864)
at changeLocation (https://instance.example.com/fe/js/cv-script.js:218185:60)
at Object.replace (https://instance.example.com/fe/js/cv-script.js:218201:9)
at finalizeNavigation (https://instance.example.com/fe/js/cv-script.js:220844:31)
at https://instance.example.com/fe/js/cv-script.js:220724:27</pre>
                            </li>

                            <li>
                                <p>This was triggered by a <b>loadend</b> event.</p>
                            </li>

                        </ul>
                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>
        <div class="section divider"></div>

        <div class="section details standalone-section">
            <h1>More details for http://instance.example.com</h1>
        </div>

        <div class="section details issue-type-container">
            <div class="issue-container">
                <a name="3588084604190000128"></a>
                <h2>Input returned in response (reflected)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The value of the URL path folder 1 is copied into the application's response.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Reflection of input arises when data is copied from a request and echoed into the application's
                        immediate response.</p>
                    <p>Input being returned in application responses is not a vulnerability in its own right. However,
                        it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open
                        redirection, content spoofing, and response header injection. Additionally, some server-side
                        vulnerabilities such as SQL injection are often easier to identify and exploit when input is
                        returned in responses. In applications where input retrieval is rare and the environment is
                        resistant to automated testing (for example, due to a web application firewall), it might be
                        worth subjecting instances of it to focused manual testing. </p>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
                                Validation</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe<span class="highlight">s56j3607g3</span>/m3/m-login HTTP/1.1
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/1.1 301 Moved Permanently
                        Server: awselb/2.0
                        Date: Tue, 05 Nov 2024 22:04:46 GMT
                        Content-Type: text/html
                        Content-Length: 134
                        Connection: close
                        Location: https://instance.example.com:443/fe<span
                            class="highlight">s56j3607g3</span>/m3/m-login

                        &lt;html&gt;
                        &lt;head&gt;&lt;title&gt;301 Moved Permanently&lt;/title&gt;&lt;/head&gt;
                        &lt;body&gt;
                        &lt;center&gt;&lt;h1&gt;301 Moved Permanently&lt;/h1&gt;&lt;/center&gt;
                        &lt;/body&gt;
                        &lt;/html&gt;
                    </div>
                </div>
            </div>
            <div class="issue-container">
                <a name="6924794329102809088"></a>
                <h2>Input returned in response (reflected)</h2>
                <a href="">/fe/m3/m-login</a>

                <h3>Issue detail:</h3>
                <div>
                    The value of the URL path folder 2 is copied into the application's response.
                </div>

                <h3>
                    Issue background:
                </h3>
                <div>
                    <p>Reflection of input arises when data is copied from a request and echoed into the application's
                        immediate response.</p>
                    <p>Input being returned in application responses is not a vulnerability in its own right. However,
                        it is a prerequisite for many client-side vulnerabilities, including cross-site scripting, open
                        redirection, content spoofing, and response header injection. Additionally, some server-side
                        vulnerabilities such as SQL injection are often easier to identify and exploit when input is
                        returned in responses. In applications where input retrieval is rare and the environment is
                        resistant to automated testing (for example, due to a web application firewall), it might be
                        worth subjecting instances of it to focused manual testing. </p>
                </div>

                <h3>Vulnerability classifications</h3>
                <div class="no-bullets">
                    <ul>
                        <li><a href="https://cwe.mitre.org/data/definitions/20.html">CWE-20: Improper Input
                                Validation</a></li>
                        <li><a href="https://cwe.mitre.org/data/definitions/116.html">CWE-116: Improper Encoding or
                                Escaping of Output</a></li>
                    </ul>
                </div>

                <div class="evidence-container">
                    <h3>Request:</h3>
                    <div class="request-response">GET /fe/m3<span class="highlight">mx6wpfgqge</span>/m-login HTTP/1.1
                        Host: instance.example.com
                        Accept-Encoding: gzip, deflate, br
                        Accept:
                        text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                        Accept-Language: en-US;q=0.9,en;q=0.8
                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
                        Chrome/130.0.6723.70 Safari/537.36
                        Connection: close
                        Cache-Control: max-age=0
                        Upgrade-Insecure-Requests: 1
                        Sec-CH-UA: &quot;.Not/A)Brand&quot;;v=&quot;99&quot;, &quot;Google
                        Chrome&quot;;v=&quot;130&quot;, &quot;Chromium&quot;;v=&quot;130&quot;
                        Sec-CH-UA-Platform: Windows
                        Sec-CH-UA-Mobile: ?0

                    </div>
                </div>
                <div class="evidence-container">
                    <h3>Response:</h3>
                    <div class="request-response">HTTP/1.1 301 Moved Permanently
                        Server: awselb/2.0
                        Date: Tue, 05 Nov 2024 22:05:07 GMT
                        Content-Type: text/html
                        Content-Length: 134
                        Connection: close
                        Location: https://instance.example.com:443/fe/m3<span
                            class="highlight">mx6wpfgqge</span>/m-login

                        &lt;html&gt;
                        &lt;head&gt;&lt;title&gt;301 Moved Permanently&lt;/title&gt;&lt;/head&gt;
                        &lt;body&gt;
                        &lt;center&gt;&lt;h1&gt;301 Moved Permanently&lt;/h1&gt;&lt;/center&gt;
                        &lt;/body&gt;
                        &lt;/html&gt;
                    </div>
                </div>
            </div>
        </div>

        <div class="section divider"></div>

    </div>
</body>

</html>